
Red team expert tells IT Brew about the state of the industry and how companies deploy the service

Companies are using third-party red teams and internal teams alike to find vulnerabilities as soon as possible.
Image credit: Dianna “Mick” McDougall/Getty Images


Jim Broome has been going on the offensive for three decades.

The 30-year veteran cybersecurity professional, who serves as the president and CTO of security solutions firm DirectDefense, told IT Brew at RSA 2023 that regulations and customer expectations have changed his career demands and the nature of red-team testing. In the past, red teams could charge up to $25,000 per week in a relatively hands-off operation.

“Now we’re in the land of compliance,” Broome said. “Everything’s regulated on what you can and cannot do.”

Deploy the tactic. The need for red-team services persists. Last year, as IT Brew reported, the US Census Bureau revealed important findings about internal security gleaned from a red-team attack. In the private sector, CISOs need to ensure the stability and usefulness of their products—and what better way to assess security flaws than to ask someone to attack them?

Companies aren’t shy about deploying the tactic when they need to, evidence of how it’s become an accepted part of managing risk. 1Password CEO Jeff Shiner told IT Brew that his team uses every resource available to them when developing new products in what he described as a “prophylactic approach.”

“We have everything from red teams and pen tests to the largest bug bounty,” Shiner said, adding, “What’s most important is to think of the security ahead of time, the attack vectors—but also think of what happens when the data is in fact taken so that you can continue to protect it even afterwards.”

Lying in wait. Red-team attacks also help companies by measuring the extent of the response to the attack. Broome said he and his team gauge the response time, the effectiveness of the counterattack, and the extent to which internal security is able to push back. Usually that process runs within a set time frame, but occasionally the DirectDefense team sees how long it takes for their intrusion to be noticed—or whether it is noticed at all.

“While we’re the consultant doing the attack program, it is adversarial,” Broome said. “We’re seeing and gauging their response. What is the capability? Do they really get me out?”

Some companies have brought the tactic in-house, assembling teams of security professionals from existing staff to work on the problem. Broome singled out Apple as an example of a hybrid approach that uses both his team and Apple’s own teams.

“Back in the day, when they were slightly embarrassed about jailbreaking—now, they actually have a dedicated team in-house,” Broome said. “They still use third parties, like DirectDefense, to look at the product before it goes to market so they know the level of sophistication of the hacker that’s going to find the first four or five vulnerabilities in it.”
